The cost of software security breaches adds up in recent headlines alone: US$13 million in losses; 45.6 million credit cards stolen; recovery costs at $256 million and mounting; and companies driven into bankruptcy or out of business. Financially motivated targeted attacks are becoming more prevalent, and new vulnerabilities continue to be reported, according to industry research firm Gartner. Eighty percent of companies will suffer an application security incident by 2010, with the cost of a sensitive data breach increasing 20 percent per year through 2009, Gartner estimates.
The retail industry has taken notice. Security continues to be top of mind, and retailers are investing heavily in improved security processes to monitor and manage vulnerabilities and control access. Ironically, with all this emphasis on security, Gartner has found little or no correlation between enterprises that spend the most on security and enterprises that are the most secure.
This would seem counterintuitive, but for experts in software security, this finding corresponds with one of the biggest issues retailers face when trying to comply with standards such as the Payment Card Industry Data Security Standard (PCI DSS): not addressing source code vulnerabilities, the underlying causes of security breaches.
Growing Awareness of Software-Based Attacks
While not a new problem, security breaches in 2007 and 2008 have exposed private customer data of high-profile retailers such as TJX, RadioShack, CVS, Neiman Marcus, Gap and the Hannaford Bros. grocery chain, generating negative attention among customers, press and legislators.
Vulnerable software continues to be one of the most common weaknesses exploited by criminals targeting personal information. In reports of the privacy breaches at BJ’s Wholesale, ChoicePoint and DSW, the Federal Trade Commission named specific lapses in security on which it based the imposed penalties, including:
- Storing consumer information in unencrypted files;
- Unnecessarily storing consumer information;
- Not using readily available security measures to limit access between computers on the network and the Internet; and
- Not adequately assessing the vulnerability of computer networks to commonly known or reasonably foreseeable attacks, including “Structured Query Language” (SQL) injection attacks.
These repeated database breaches are taking a large toll on e-commerce. Twenty-four percent of Americans refuse to make online purchases because they fear their financial information will be stolen, according to a study from the Cyber Security Industry Alliance (CSIA). That represents about $3.8 billion in lost transactions, the CSIA estimates. In a nationwide survey of 1,150 adults, CSIA also found that about 50 percent of Internet users are concerned about the safety of their financial information online.
With increased public attention and legislative focus, it is becoming increasingly clear that those responsible for oversights that lead to theft of customers’ identities will face more than public backlash. Combined with losses in customer trust and brand image, liability concerns are strengthening the business case in all industries for tighter protection against identity theft.
Focus on Application Security: Requirement 6.6
The increased focus on application security in the latest revisions of the PCI DSS can be traced directly to many of the recent high-profile breaches, where vulnerable software and insecure applications have been the point of access for hackers and the source of data loss.
Application security represents one of the areas most challenging to retailers subject to PCI regulations. The most recent guidance surrounding the PCI DSS specifically calls out Requirement 6.6. While this requirement is considered by many to be the most difficult in PCI DSS, it strongly reflects the growing industry understanding about the impact of insecure applications on data privacy.
PCI DSS Requirement 6.6, which falls under the main heading of developing and maintaining secure systems and applications, covers the security of Web-facing applications. Specifically, Requirement 6.6 states that all custom application code must be reviewed for common vulnerabilities by an organization that specializes in application security or there must be a Web application firewall installed in front of Web-facing applications.
This requirement will be considered a “best practice” until June 30, 2008, after which it becomes mandatory. This requirement, together with the other detailed requirements of the section, makes application security a cornerstone in the drive to protect cardholder data. It is a clear recognition that true data security must begin at the source.
As retailers struggle to avoid being the next victim of targeted attacks and public exposure, they must look to what these breaches can teach them: Data security starts with software security. It is in source code that encryption is enforced, the security of network communications is established, and access control is set — or not. Therefore, it is in the source code that the drive for compliance with the PCI DSS, and the effort to secure private cardholder data, must begin.
Building Compliance In
The increasing attention on secure source code can be linked to the fact that it is the central place where vulnerabilities to credit card data get introduced. It can also be the least expensive place to address them, when source code analysis is performed at the earliest point in the software development life cycle. For organizations charged with PCI compliance, it makes both fiscal and governance sense to introduce source code scanning into the development life cycle for custom and outsourced code. Leaving it solely to the responsibility of an outside organization reduces the financial benefit of early discovery of vulnerabilities and increases the likelihood of project delay and risk.
The leading source code analysis solutions use an extensive vulnerability knowledge base powered by a scanning engine able to scan large amounts of source code efficiently. Today, these vendors offer retailers a way to automatically audit their software in order to certify adherence to security policies and identify areas of potential vulnerability. By scanning the source code itself, this technology generates a practical, reliable security assessment of software in legacy systems or during development. It also allows companies to set and enforce strict requirements for software security controls, including those found by the FTC to be lacking among the major companies that were breached in 2005.
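As an added illustration (not code from the article, Ounce Labs or any vendor product), here is a minimal source code check of the kind such a scanner runs: it parses Python application code and flags database `execute()` calls whose SQL text is assembled at runtime from variables, the defect behind the SQL injection lapse named by the FTC above. The sample source it scans is constructed for the example, and the DB-API `execute()`/`executemany()` call names are assumed.

```python
import ast

# Constructed sample of application code under review (not from the article).
# Each execute() builds the query differently; only the last passes the value
# as a bound parameter, so the database never parses it as SQL text.
SAMPLE_SOURCE = '''
def lookup(cur, last4):
    cur.execute("SELECT pan FROM cards WHERE last4 = '" + last4 + "'")
    cur.execute(f"SELECT pan FROM cards WHERE last4 = '{last4}'")
    cur.execute("SELECT pan FROM cards WHERE last4 = '%s'" % last4)
    cur.execute("SELECT pan FROM cards WHERE last4 = '{}'".format(last4))
    cur.execute("SELECT pan FROM cards WHERE last4 = ?", (last4,))
'''


def query_construction(node: ast.expr):
    """Return how a query expression is built at runtime, or None if it is constant."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format()"
    return None


def find_dynamic_sql(source: str):
    """Return sorted (line, reason) pairs for execute()/executemany() calls
    whose first argument is built dynamically; constant queries with bound
    parameters are not reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in ("execute", "executemany"):
            continue
        reason = query_construction(node.args[0])
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)
```

Running `find_dynamic_sql(SAMPLE_SOURCE)` reports lines 3 through 6 of the sample and leaves the parameterized query on line 7 alone; the same walk extends naturally to other sinks (file paths, shell commands) a review under Requirement 6.6 would cover.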
With growing awareness of software vulnerabilities as a critical problem in information security, and with the availability of accurate, efficient source code vulnerability analysis technologies, security testing is being built into software development much more often, and with greater success.
Jack Danahy is founder and chief technology officer of Ounce Labs, a provider of software risk analysis solutions.